Chapter 6 Security

Issuing Test Request to an SSL Server

While diagnosing problems between Web Server 7.0 and web browsers, it
is useful to analyze the requests and responses. When SSL/TLS is not used,
you can capture the requests and responses between the web browser and the
server with any network capture tool, such as ethereal.

When SSL/TLS is used for the communication, a plain capture shows only encrypted data. Instead, you can use OpenSSL's s_client application to open an SSL/TLS connection to the server and issue requests over it.

Execute the following command and, once the SSL connection has been
established, enter the test HTTP request as desired.

$ openssl s_client -host localhost -port 8080 -quiet

By using the same command without the -quiet flag,
you can see information about the connection, such as the server DN, the certificate
name and the negotiated cipher suite.

For more information, see the s_client man page at http://www.openssl.org/docs/apps/s_client.html.

Analyzing SSL Requests

The earlier method of issuing a test request works well as long as you can
recreate the request content manually. Sometimes, however, you need to diagnose
a connection that is being used by a web browser.

There are a number of tools available to observe such request and response
data. One such tool is ssltap. ssltap takes
the proxy approach: it serves as a simple proxy between the client and the
Web Server and displays information about the connections it forwards (you
can also use ssltap to observe plain HTTP requests
or even requests based on other protocols).

Assume that Web Server is running with an SSL-enabled listener on port
8088 on a machine. Now issue the following command:

This is the SSL client hello being sent from the browser to the server.
Note the list of cipher suites the browser has sent. This is the set of cipher
suites the browser is configured to handle, sorted in order of preference.
The server will pick one of these for the handshake; if the server is not set
up to handle any of them, the connection fails immediately. In the above
snippet, the session-id is empty, which tells you the browser does not have
any cached SSL session with this particular server.

The server picked TLS/RSA/AES256-CBC/SHA as the cipher
suite to use. A session ID was sent, which this client will include in subsequent
requests. The server also sent its certificate chain for the browser to verify.
ssltap saved these certificates in the files cert.001 and cert.002. You can
examine these certificates with any tool that can parse X.509 certificates.
For example, execute the following command:

$ openssl x509 -in cert.001 -text -inform DER
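The two hello messages described above are the part of an ssltap trace you read most often: the client's cipher list and session-id, then the server's single choice and the session ID it issues. The following Python script is an added example, not part of the guide or of ssltap; it parses a ClientHello and a ServerHello in SSLv3/TLS record format (not the older SSLv2-compatible client hello) and reports the same fields ssltap prints, including whether the server's choice was actually offered and, given a set of suites the server enables, whether the handshake could succeed at all. The sample records are constructed in the script, the suite names imitate ssltap's "TLS/RSA/AES256-CBC/SHA" style, and the function names are this example's own.

```python
import struct

# IANA cipher suite code points mapped to the style of name ssltap prints.
# Only the suites used in this example are listed; any other code prints as hex.
CIPHER_SUITES = {
    0x0004: "TLS/RSA/RC4-128/MD5",
    0x0005: "TLS/RSA/RC4-128/SHA",
    0x000A: "TLS/RSA/3DES-EDE-CBC/SHA",
    0x002F: "TLS/RSA/AES128-CBC/SHA",
    0x0033: "TLS/DHE-RSA/AES128-CBC/SHA",
    0x0035: "TLS/RSA/AES256-CBC/SHA",
    0x0039: "TLS/DHE-RSA/AES256-CBC/SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, TLS_1_0 = 0x16, 0x01, 0x02, 0x0301


def suite_name(code):
    return CIPHER_SUITES.get(code, "unknown(0x%04x)" % code)


def parse_record(data):
    """Unwrap one TLS handshake record; returns (handshake_type, message_body)."""
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record: 0x%02x" % content_type)
    payload = data[5:5 + length]
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(payload) != length or len(body) != hs_len:
        raise ValueError("truncated record")
    return payload[0], body


def _hello_prefix(body):
    """Common ClientHello/ServerHello prefix: version, 32-byte random, session id."""
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    return version, session_id.hex(), 35 + sid_len


def parse_client_hello(body):
    """Offered cipher suites in the browser's preference order, plus session id."""
    version, session_id, pos = _hello_prefix(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    codes = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0]
             for i in range(0, cs_len, 2)]
    return {"version": version, "session_id": session_id, "codes": codes}


def parse_server_hello(body):
    """The single suite the server chose and the session id it issued."""
    version, session_id, pos = _hello_prefix(body)
    code = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "session_id": session_id, "code": code}


def summarize_handshake(client_record, server_record):
    """What ssltap shows for a ClientHello/ServerHello pair."""
    hs_type, body = parse_record(client_record)
    if hs_type != CLIENT_HELLO:
        raise ValueError("expected ClientHello")
    ch = parse_client_hello(body)
    hs_type, body = parse_record(server_record)
    if hs_type != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    sh = parse_server_hello(body)
    return {
        "offered": [suite_name(c) for c in ch["codes"]],
        "cached_session": ch["session_id"] != "",  # empty id: nothing to resume
        "chosen": suite_name(sh["code"]),
        "chosen_was_offered": sh["code"] in ch["codes"],
        "server_session_id": sh["session_id"],
    }


def common_suites(client_record, server_enabled):
    """Suites both sides support, in client order; empty means the handshake fails."""
    _, body = parse_record(client_record)
    return [suite_name(c) for c in parse_client_hello(body)["codes"] if c in server_enabled]


# --- constructed sample messages, not captured from a real browser or server ---
def _record(hs_type, body):
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS_1_0, len(msg)) + msg


def build_client_hello(codes, session_id=b""):
    body = struct.pack("!H", TLS_1_0) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    return _record(CLIENT_HELLO, body + b"\x01\x00")  # one compression method: null


def build_server_hello(code, session_id):
    body = struct.pack("!H", TLS_1_0) + bytes(32) + bytes([len(session_id)]) + session_id
    return _record(SERVER_HELLO, body + struct.pack("!H", code) + b"\x00")


CLIENT_RECORD = build_client_hello([0x0039, 0x0035, 0x0033, 0x002F, 0x000A, 0x0005])
SERVER_RECORD = build_server_hello(0x0035, bytes.fromhex("a1b2c3d4" * 8))

if __name__ == "__main__":
    for key, value in summarize_handshake(CLIENT_RECORD, SERVER_RECORD).items():
        print("%-20s %s" % (key, value))
    print("usable if server enables only RC4-MD5:", common_suites(CLIENT_RECORD, {0x0004}))
```

Run stand-alone, the script prints the offered list, an empty cached-session flag (the same situation as the empty session-id in the trace above), the chosen suite TLS/RSA/AES256-CBC/SHA and the 32-byte session ID the server issued. The last line shows the failure mode the text mentions: a server whose enabled suites do not intersect the browser's list has nothing to pick, and the handshake cannot proceed.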

Note –

ssltap is a single-threaded proxy server, so
if you issue multiple requests through it, the requests are serialized.
If you need to analyze a specific problem with your application that occurs
only on concurrent requests through SSL, try running multiple ssltap instances.